Different approaches in focus following January attack on MJ Freeway

Part II: Different approaches to cyber security in focus following January attack on MJ Freeway

MJ Freeway is keeping the details of its investigation close to the vest, but the company says there’s no doubt the cyberattack that brought down its entire system on Jan. 7 was “malicious and criminal.”

According to Jeannette Ward, vice president of global marketing and communications, the January attack seems to have been an attempt to destroy data rather than to extract it.

“That’s what makes is so unusual,” Ward says. “This attack was about corruption.”
Ward says the attack affected MJ Freeway’s systems across multiple platforms, geographical locations and hosting companies, affecting both the live production servers as well as “multiple redundant backup sites.”

The corruption damage impacted everything, Ward says.

Along with its internal people, the company hired the Crypsis Group to investigate the incident, which it concluded to be a “sophisticated, criminal cyber-attack,” Ward says. All the IT forensics have been turned over to law enforcement authorities, so Ward declined to comment on the specifics of how the attack occurred, but confirmed that no customer data was extracted. MJ Freeway has been working with customers since to recover the data and has been able to piece together about 70% of the damaged information thus far (see sidebar).
Ward describes the company’s security as “very robust” prior to the attack, but says MJ Freeway has increased its security measures further in the months since. She declined to address specifics.
“We upgraded security and we really believe it is the best in the industry,” she says.

But January’s attack on one of the industry’s most widely used tracking systems, which affected more than 1,000 retailers across the country, was another reminder that cybersecurity is not just about protecting your data, but your business in general.
The attack has prompted numerous businesses — including clients of MJ Freeway and other competitors — to reevaluate their service providers. A wide variety of companies offer different solutions for keeping digital data safe in an age filled hackers and bad actors. And though no system promises perfect security, businesses need to consider what security structure best fits their needs.

Piecing it back together
By Brian Beckley

The attack on MJ Freeway in January forced many retail stores to close their doors or switch to a pen-and-paper method of tracking sales in order to continue servicing their customers.

While the company was able to get its system back up and functioning relatively quickly, the true nature of the attack was on MJ Freeway’s data. Although it was encrypted and not extracted by the hackers, the data was corrupted across multiple redundant back-ups located at multiple geographical locations through multiple hosting companies, according to Jeanette Ward, the company’s vice president of global marketing.
Following the attack, MJ Freeway has been working with customers and IT experts to recover the client data. The MJ Freeway IT group split into three teams with three goals: Fixing the system, investigating the incident, and working with clients to get them back online and retrieve their data.
Ward says it took longer than expected to get everyone back online because the teams worked one-on-one with clients to make sure no generic passwords were issued. She admits it may have seemed like “an eternity,” but says it was the most secure way to bring everyone back up and running.
Ward says the company has now been able to retrieve much of the historical data that had been corrupted.
“The majority of clients have this archived data accessible to them,” she says.
To retrieve this corrupted data, Ward says MJ Freeway ran hundreds of servers concurrently, piecing the data back together like a puzzle with non-corrupted sections from each server providing the parts to make up a new whole.
“So you’re trying to take the pieces that aren’t corrupt and put back together a complete, uncorrupted picture,” she says.
As of early March, 70% of the data had been recovered using the piecemeal approach.

Retrieving as much data as possible remains the company’s top priority, Ward says.
MJ Freeway credited all customers for January due to the attack, which helped the tech firm retain a large number of its clients through the attack and aftermath.
“As much as it hurt us as a business … we’re more concerned about the impact it had on our clients,” Ward says, adding that reports of the number of customers that have dropped MJ Freeway are overblown. “We aren’t going anywhere.”

Cloud vs. Server
While MJ Freeway and several other tracking and security systems use a cloud- and/or web-based model for access, others, such as BioTrackTHC have opted for local server-based systems that licensees maintain on-site.
With the BioTrack system, each employee has a unique PIN with which they access the system and access to the server is tied to an IP address. The client has to purchase the server, which connects to the larger BioTrack system through a secure interface, transmitting only specific data to the state, while maintaining the bulk of information locally. Full audit logs are also created for all inventory, showing which employee made what change at what time.
According to BioTrack vice president of government solutions Dan McMahon, hacking is “bound to happen,” but having data stored in-house, instead of backed up on the cloud, is an expense paid off in peace of mind. Cybersecurity, he says, is all about minimizing risk.
“It would have been a lot cheaper to go the cloud route,” McMahon says, but the in-house hardware means someone would have to physically take the computer to get the data inside.
McMahon says he has nothing but respect for MJ Freeway because he knows the challenges tech companies face. Post-crash, BioTrack conducted a review of its own systems and McMahon says the Florida-based company increased security across the board.

On the cloud-based side, Darin Velin and the team at Dauntless Software also cite their experience as a difference-maker. Dauntless employees have a combined 75 years of experience at tech giant Microsoft, where they built attendance tracking tools that used smart card technology in employee badges — technology they applied later applied to TraceWeed, their own cannabis tracking system.

TraceWeed is neither a web-based product like MJ Freeway, not tied to in-house servers like BioTrack. It connects with the cloud through specific, known devices and by specific employee access cards only. Administrators can manage permissions at each level of the system for each employee.
“We use smart card and hardware authorization instead of browser-based password authentication,” TraceWeed CEO Clark Musser said in a post on the company’s blog in January.
The two-factor system is point-to-point and access cannot even be gained through other TraceWeed systems because everything has to match up. It is not unlike what is seen in movies when two keys need to be turned in order to launch missiles, says Velin, the company’s director of community relations.

“That’s what makes TraceWeed so secure,” he adds. “With anything that’s web-based, there’s always ways to get in.”
Not surprisingly, the company uses Microsoft’s Azure system for its cloud-based service. The data is fully encrypted and, like BioTrack, the information sent to the state systems can be limited in comparison to the full data available to the client.
“We only send the data that’s necessary,” Velin says

The TraceWeed system grew out of the work the team did at Microsoft. Looking to take their expertise to the field of traceability, the team founded Dauntless Inc., and developed the patent-pending TapNTrace system to track traditional agricultural products like cattle, coffee and apples. It used the same near field communications software as the employee tracking badge.
The TapNTrace system sits at the heart of the larger TraceAgri product, which can be used to track traditional agricultural products from “farm to fork” through PC and smart phone apps. Changes made through the app are automatically synced with the database. Access to the apps is allowed only through authorized devices and access cards.
When voters in the Evergreen State approved recreational cannabis that required a tracking system, Velin and his team saw their opportunity, setting out to build TraceWeed for producers and processors.
Velin says the company’s technology tracks every plant, but allows for entire rooms or other sub-sections of plants to be scanned at once through a room tag option that will even keep track of multiple strain subsets within each room. He describes the TraceWeed software as “true traceability,” not just compliance.

Refocusing
Many other companies in the traceability side of the business use similar methods.

WeedTraQR president David Busby says his company’s security structure was more like MJ Freeway’s than BioTrack’s in that it uses a web application to access a cloud-based service.

Busby declined to discuss the specifics of his company’s security structure, but says all companies in the space should consult with cybersecurity experts. Two main pieces of advice he gives are to use “SSL everywhere” and to use “default restrictive” firewall rules, so if there are any questions about access, the default setting is to deny.

At GrowFlow, chief technology officer Tom Wilson says the security architecture is also similar to MJ Freeway’s, but, like Traceweed, his company uses Microsoft’s Azure service instead of Amazon. GrowFlow also uses BioTrack’s API to connect with state systems.

Ward says she believes MJ Freeway was targeted because it’s one of the highest profile names in the space and it was the easiest way to make a point, but she can’t say for sure.
“The bottom line is I don’t know,” she says. “Sometimes hackers just go after the big dog because you get more press.”
Without going into details in order to keep the changes as secure as possible, Ward says MJ Freeway took efforts to increase its own security following January’s attack. The entire system has been shifted to Amazon Web Services, which Ward calls “the best of the best.” Additional password and ID measures have also been enacted.
Among other changes, MJ Freeway now uses a two-factor identification system, as well as a change that requires two people logged in at the same time to access what Ward described as the most sensitive data.
While it’s not perfect, tech experts agree that no system is completely without flaws, whether it’s cloud-based, web-based or whether servers are physically located at a business.
“No one can say you are 100% protected from a cyber-attack,” Ward says. “That’s just not possible.”
Velin agrees, noting that any computer can be hacked if access is available.
If there’s one good thing that came from the MJ Freeway crash, it’s that almost every tech company in cannabis took the hint to reevaluate their own systems and procedures to try and stay one step ahead of those looking to break into their data or bring down their systems.
“It’s always changing,” McMahon says. “It’s never going to be good enough.”

This is the second of a two-part series covering the January 2017 MJ Freeway crash and the role of cybersecurity in the cannabis space. Part I appeared in the March 2017 issue of Marijuana Venture magazine.